How to Convert Your Old, Boring Queries to KQL for Azure Sentinel

Migrating from a legacy SIEM can seem like a daunting task, particularly when you’ve built so much into the existing tool over the years. You have use cases, queries, reports, etc., that you would still like to take advantage of in Azure Sentinel.

I hear this quite a bit, and we do a good job helping our customers retain the important stuff as they modernize their security operations. But, we’re also quick to point out that one of the reasons a customer is interested in Azure Sentinel is because their old, tired SIEM has actually become a part of the problem. Shifting to Azure Sentinel allows customers to better efficientize their thinking and take a much better, more modern approach to monitoring and securing the environment. But, that doesn’t mean that everything is lost.

KQL (the fantastic query language and data scientist’s tool of choice) is the lifeblood to Azure Sentinel. This query language powers the logic behind our Analytics Rules, the data sampling for our Hunting queries, and the visualizations in our Workbooks. Becoming KQL proficient is important. But, for those that have a long list of stored queries from old systems, why start from scratch if you don’t have to?

I talk about this often during my Azure Sentinel workshops, but was reminded today that there are a slew of others out there that have never heard of this valuable tool.

SOC Prime (a fabulous SIEM service) has a valuable tool called Uncoder that takes one query type and can translate (or convert) it into any other type.


Obviously, the tool is not perfect. Some queries work, some don’t. But, it’s a good first step in trying to retain old use cases and pre-developed queries – again, without starting from scratch.

Here’s a couple additional resources that might interest you.


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Azure Sentinel Newsletter]